1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample

General
Target

1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe

Filesize

81KB

Completed

21-09-2021 13:21

Score
10/10
MD5

5a8491587ab0f96ba141ae59365bc911

SHA1

1ab2fac4f2dc92893a9f89fc6621f66bd47cb783

SHA256

1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2

Malware Config

Extracted

Path C:\1rWCqamCt.README.txt
Family blackmatter
Ransom Note
~+ * + ' BLACK | () .-.,='``'=. - o - '=/_ \ | * | '=._ | \ `=./`, ' . '=.__.=' `=' * + Matter + O * ' . >>> What happens? Your network is encrypted, and currently not operational. We need only money, after payment we will give you a decryptor for the entire network and you will restore all the data. >>> We downloaded over 500GB company information from all domain. Data includes: - Personal company info - Finance information - Client information - Accounting and other sensitive info; To download your data we used following shares: 015-SBE-01.mmreibc.prv MMWEB-021-01.mmreibc.prv ALTERYX-PRD-02.mmreibc.prv 511-HARRIS-OLD 002-NAS-01.mmreibc.prv 003-NAS-01.mmreibc.prv 009-NAS-01.mmreibc.prv 010-NAS-01.mmreibc.prv 012-NAS-01.mmreibc.prv 013-NAS-01.mmreibc.prv 014-NAS-01.mmreibc.prv 016-NAS-01.mmreibc.prv 020-NAS-01.mmreibc.prv 022-NAS-01.mmreibc.prv 025-NAS-01.mmreibc.prv 026-NAS-01.mmreibc.prv 028-NAS-01.mmreibc.prv 029-NAS-01.mmreibc.prv 030-NAS-01.mmreibc.prv 032-NAS-01.mmreibc.prv 033-NAS-01.mmreibc.prv 034-NAS-01.mmreibc.prv 035-NAS-01.mmreibc.prv 036-NAS-01.mmreibc.prv 037-NAS-01.mmreibc.prv 039-NAS-01.mmreibc.prv 040-NAS-01.mmreibc.prv 041-NAS-01.mmreibc.prv 042-NAS-01.mmreibc.prv 045-NAS-01.mmreibc.prv 047-NAS-01.mmreibc.prv 049-NAS-01.mmreibc.prv 051-NAS-01.mmreibc.prv 052-NAS-01.mmreibc.prv 053-NAS-01.mmreibc.prv 054-NAS-01.mmreibc.prv 055-NAS-01.mmreibc.prv 056-NAS-01.mmreibc.prv 063-NAS-01.mmreibc.prv 068-NAS-01.mmreibc.prv 070-NAS-01.mmreibc.prv 082-NAS-01.mmreibc.prv 085-NAS-01.mmreibc.prv 086-NAS-01.mmreibc.prv 093-NAS-01.mmreibc.prv 098-NAS-01.mmreibc.prv 099-NAS-01.mmreibc.prv and others. If you are not going to contact us in the next 3 days, we will prepare your data for the publications. Your personal company info will be leaked and will be in the news. This will lead to a fall of your stock. >>> What guarantees? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. If we do not give you decrypters or we do not delete your data, no one will pay us in the future, this does not comply with our goals. We always keep our promises. >>> How to contact with us? 1. Download and install TOR Browser (https://www.torproject.org/). 2. Open http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/A9K0IM6DK7ILWAV908R3 >>> Warning! Recovery recommendations. We strongly recommend you to do not MODIFY or REPAIR your files, that will damage them.
URLs

http://supp24yy6a66hwszu2piygicgwzdtbwftb76htfj7vnip3getgqnzxid.onion/A9K0IM6DK7ILWAV908R3
Signatures 13

Filter: none

Defense Evasion
Discovery
Impact
  • BlackMatter Ransomware

    Description

    BlackMatter ransomware group claims to be Darkside and REvil succesor.

    Tags

  • Modifies extensions of user files
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    descriptioniocprocess
    File renamedC:\Users\Admin\Pictures\SubmitConnect.crw => C:\Users\Admin\Pictures\SubmitConnect.crw.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\ConvertFromFind.tif => C:\Users\Admin\Pictures\ConvertFromFind.tif.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\EditConvertTo.tiff1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\ReadMount.png => C:\Users\Admin\Pictures\ReadMount.png.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\ReadMount.png.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\SkipAdd.tiff1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\SkipAdd.tiff => C:\Users\Admin\Pictures\SkipAdd.tiff.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\DenyCheckpoint.raw => C:\Users\Admin\Pictures\DenyCheckpoint.raw.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\EditConvertTo.tiff => C:\Users\Admin\Pictures\EditConvertTo.tiff.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\ReadSuspend.png.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\ApproveUse.tiff1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\ApproveUse.tiff.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\DenyCheckpoint.raw.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\ReadSuspend.png => C:\Users\Admin\Pictures\ReadSuspend.png.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\SkipAdd.tiff.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\SubmitConnect.crw.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\ApproveUse.tiff => C:\Users\Admin\Pictures\ApproveUse.tiff.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\ConvertFromFind.tif.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\EditConvertTo.tiff.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File renamedC:\Users\Admin\Pictures\EnableRemove.raw => C:\Users\Admin\Pictures\EnableRemove.raw.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    File opened for modificationC:\Users\Admin\Pictures\EnableRemove.raw.1rWCqamCt1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
  • Sets desktop wallpaper using registry
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe

    Tags

    TTPs

    DefacementModify Registry

    Reported IOCs

    descriptioniocprocess
    Set value (str)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\1rWCqamCt.bmp"1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\1rWCqamCt.bmp"1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe

    Reported IOCs

    pidprocess
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies Control Panel
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe

    Tags

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\WallpaperStyle = "10"1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
  • Modifies registry class
    splwow64.exe

    Reported IOCs

    descriptioniocprocess
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bagssplwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shellsplwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRUsplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffffsplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffffsplwow64.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"splwow64.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settingssplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlotssplwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000splwow64.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"splwow64.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"splwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffffsplwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0splwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02splwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffffsplwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0splwow64.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000splwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgsplwow64.exe
    Key created\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1splwow64.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Tags

    Reported IOCs

    pidprocess
    1592NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe

    Reported IOCs

    pidprocess
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
  • Suspicious behavior: GetForegroundWindowSpam
    splwow64.exe

    Reported IOCs

    pidprocess
    1740splwow64.exe
  • Suspicious use of AdjustPrivilegeToken
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exevssvc.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeBackupPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeDebugPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: 3610801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeImpersonatePrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeIncBasePriorityPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeIncreaseQuotaPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: 3310801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeManageVolumePrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeProfSingleProcessPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeRestorePrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeSecurityPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeSystemProfilePrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeTakeOwnershipPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeShutdownPrivilege10801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    Token: SeBackupPrivilege2040vssvc.exe
    Token: SeRestorePrivilege2040vssvc.exe
    Token: SeAuditPrivilege2040vssvc.exe
  • Suspicious use of SetWindowsHookEx
    splwow64.exe

    Reported IOCs

    pidprocess
    1740splwow64.exe
    1740splwow64.exe
    1740splwow64.exe
  • Suspicious use of WriteProcessMemory
    1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exeNOTEPAD.EXE

    Reported IOCs

    descriptionpidprocesstarget process
    PID 1080 wrote to memory of 159210801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exeNOTEPAD.EXE
    PID 1080 wrote to memory of 159210801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exeNOTEPAD.EXE
    PID 1080 wrote to memory of 159210801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exeNOTEPAD.EXE
    PID 1080 wrote to memory of 159210801eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exeNOTEPAD.EXE
    PID 1592 wrote to memory of 17401592NOTEPAD.EXEsplwow64.exe
    PID 1592 wrote to memory of 17401592NOTEPAD.EXEsplwow64.exe
    PID 1592 wrote to memory of 17401592NOTEPAD.EXEsplwow64.exe
    PID 1592 wrote to memory of 17401592NOTEPAD.EXEsplwow64.exe
Processes 4
  • C:\Users\Admin\AppData\Local\Temp\1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\1eea3cbd729d4493c0c0a84efe6840abf1760efe221dc971d32ca5017b5c19c2.bin.sample.exe"
    Modifies extensions of user files
    Sets desktop wallpaper using registry
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies Control Panel
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" /p C:\1rWCqamCt.README.txt
      Opens file in notepad (likely ransom note)
      Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        Modifies registry class
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        PID:1740
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2040
Network
MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Discovery
        Execution
          Exfiltration
            Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads

                    • C:\1rWCqamCt.README.txt

                      MD5

                      37878bee5392f7567e3595d715499ad5

                      SHA1

                      93184199ec5356334133bdf366f7be81436b73db

                      SHA256

                      6dcf00d0f01e1ee4d76b132aa1c97169270478c6ccb7e1519e89344887b8b9b5

                      SHA512

                      c52503fb4e1c440c2553200e821163af0e52259d27f4f085cd668fc84a8b64069afcdd9edfb1b6e273f8bc1e75d5ee6850eacba8a93bc64e76a335daeb529294

                      Download Submit

                    • C:\Users\Admin\Documents\CompareUse.xps.1rWCqamCt

                      MD5

                      08ce201bc5bed67e72ce322a8f173e63

                      SHA1

                      9e5c27e1a97fe2571f0bf6fec7502e5e7486e566

                      SHA256

                      d0b26396c635ef136b25d0cc948fa172bac0be32c26a5bb38570fd209a36f5d8

                      SHA512

                      0b148be1bb3529a4e1b6efbd136f2ce3b1047b6bec1aef6d5c75c23dc6e4de5e2176b499e09078ba0e2896ec974ea84e42c80087413175c0432c00fce631bfa9

                      Download Submit

                    • memory/1080-60-0x0000000075801000-0x0000000075803000-memory.dmp

                      Download

                    • memory/1080-62-0x0000000000840000-0x0000000000841000-memory.dmp

                      Download

                    • memory/1080-63-0x0000000000856000-0x0000000000857000-memory.dmp

                      Download

                    • memory/1080-61-0x0000000000845000-0x0000000000856000-memory.dmp

                      Download

                    • memory/1592-64-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1740-67-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1740-68-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

                      Download

                    • memory/1740-70-0x00000000041C0000-0x00000000041C1000-memory.dmp

                      Download